Does the CCPA require data minimization with regard to the collection and use of information?
No.
The European GDPR permits a company to collect only that information which is “adequate, relevant and limited to what is necessary in relation to the purposes” for which the information is to be processed.[1] As a result, a company arguably is not permitted to collect personal data that is not “necessary” for a specific processing purpose. The requirement that a company limit the type and quantity of information that it collects is often referred to as “data minimization.”
Data minimization is not addressed by most privacy laws in the United States, and it is not mandated by the CCPA.
Unlike the CCPA, the California Privacy Rights Act of 2020 (the “CPRA”) – which will be on the ballot in California in November – purports to contain a data minimization requirement. The CPRA states that a “business’ . . . collection [and] use” of a consumer’s personal information shall be “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed . . . .”[2] The CPRA further states that a business “shall not retain a consumer’s personal information or sensitive personal information . . . for longer than is reasonably necessary” for the purpose for which it was collected.[3]
Does the CCPA require data minimization with regard to the storage of information?
No.
The European GDPR permits a company to retain personal data for “no longer than is necessary for the purposes for which the personal data are processed.”[4] As a result, if a company no longer needs information to accomplish a specific purpose, the company is, theoretically, required to delete that information. The requirement that a company keep information for the least amount of time needed is often referred to as “storage limitation” and, by many privacy advocates, falls within the larger rubric of “data minimization.”
Data minimization is not addressed by most privacy laws in the United States, and it is not mandated by the CCPA. Privacy laws in the United States that do touch upon data minimization generally do not require it; instead they recommend it as a best practice or as a condition for achieving a safe harbor from allegations of improper security. For example, the New York SHIELD Act states that a business is “deemed to be in compliance” with the requirement within that statute that the business must develop reasonable safeguards to protect certain information if, among other things, the business “disposes of private information within a reasonable amount of time after it is no longer needed for business purposes….”[5]
Unlike the CCPA, the California Privacy Rights Act of 2020 (the “CPRA”) – which will be on the ballot in California in November – purports to contain a data minimization requirement. The CPRA states that a “business’ . . . retention . . . of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed . . . .”[6] The CPRA further states that a business “shall not retain a consumer’s personal information or sensitive personal information . . . for longer than is reasonably necessary” for the purpose for which it was collected.[7]
[1] GDPR, Article 5(1)(c).
[2] Proposed 1798.100(c).
[3] Proposed 1798.100(a)(4).
[4] GDPR, Article 5(1)(e).
[5] New York Bus. Law § 899-bb(2)(a), (b)(ii)(C)(4).
[6] Proposed 1798.100(c).
[7] Proposed 1798.100(a)(4).